ERM at skyguide and interface with BCM

Transcription

1 ERM at skyguide and interface with BCM - Fachveranstaltung Netzwerk Risikomanagement - Aarburg, 8 September J. Schulte, Enterprise Risk Manager

2 Content overview of skyguide company activities and services enterprise risk management at skyguide overall ERM process extended ERM interface ERM-BCM at skyguide page 2

3 Skyguide's synopsis page 3

4 Skyguide's shareholders (2015) total share capital CHF 140 millions. Swiss confederation 99,94 % aeronautical associations, 0,06 % airport owners, cantons and cities, unions page 4

5 Income statement ANS (2016) 40.7 Mn skyguide is financed by Mn CHF Mn Mn Routes charges Landing charges Military compensation Routes charges (60.5%) Landing charges for cat. I & II airports (30.3%) Military compensation (9.2%) page 5

6 Human resources (as of 31 December 2016, in FTE) skyguide offers 1'426 full time jobs 43.6 Safety, Security, Quality (incl ATCOs) Operations* Finances & Services Engineering & Technical Services Corporate Development Human Resources 0 Safety, Security, Quality Operations Finances & Services Engineering & Technical Services Corporate Development Human Resources Directorate 32.7 Directorate** * including trainees ** includes Corporate Communication and Innovation & Change page 6

7 skyguide's locations Munich Civil locations Military locations Zurich Kloten St.Gall Altenrhein Dübendorf Grenchen Emmen Payerne Bern Belp Alpnach Buochs Meiringen Geneva Cointrin Lyon Sion Locarno Lugano Agno Milano page 7

8 IFR traffic all skyguide centres (in number of IFR flights, source : CFMU) page 8

9 Swiss and delegated Airspace Reims 41 % outside CH Karlsruhe Munich Paris 59 % inside CH Vienne Aix-en- Provence Milano / Roma Padova page 9

10 Content overview of skyguide company activities and services enterprise risk management at skyguide overall ERM process extended ERM interface ERM-BCM at skyguide page 10

11 Skyguide's ERM in a nutshell Scope of skyguide's ERM - All events that may affect skyguide's ability to achieve its objectives - Whole skyguide organisation (cross-departmental framework) ERM introduced in skyguide end of 2006 ERM set up as management tool for prioritizing risks and for supporting risk-based decision making ERM integrated in skyguide's overall planning process (in particular strategic planning) ERM composed of 2 fundamental steps : risk assessment and risk response Risk reviews done twice a year and reported at EB and BoD level ERM process supported by specific tool (R2C) available throughout the entire company page 11

12 Two possible ways for RM Need for RM Skyguide has chosen to implement a Qualitative RM Quantitative RM Qualitative RM Needs a lot of effort/investments Huge historical data set required Relies on intuition and know how of staff Partly subjective Not feasible for SME* Feasible for SME* * SME = Small and Medium Enterprises page 12

13 Added-value of ERM Through reporting of risks from departments/processes/ projects/programs, get overall view of risk portfolio at skyguide By improving awareness of RM in skyguide and by using RM as a tool in (daily) management, be able to manage most important risks in a systematic way and hence improve decisionmaking Develop measures to manage risks in order to support the achievement of skyguide's objectives page 13

14 Process 0 Risk Management Framework : Risk Policy Statement Risk Policy Directive Risk Organisation Process incl. Methodology Reporting and Tools 1 Risk Identification Risk Assessment 4 Risk Monitoring and Review 5 Communication and Training 2 Risk Evaluation Risk Response 3 Risk Treatment page 14

15 Bow-Tie Model 1 Causes (or sources) Cause 1 Causes, event and consequences are described in a risk scenario Consequences (or effects) Consequence 1 Scope of ERM Cause 2 Event Consequence 2 Cause 3 Consequence 3 Cause 4 Preventive measures (action on causes) Protective measures (action on consequences) Consequence 4 Preventive measure act first on probability or likelihood Protective measure act first on impact or consequences A risk scenario should be understood as a "credible worst case scenario" : a remote but not impossible scenario with significant impact page 15

16 Risk Evaluation 2 Risk Evaluation Measure risks impact (or severity ) : using predefined criteria e.g. financial impact and non financial impact (on corporate and strategic objectives, reputational, etc.) likelihood (or probability of occurrence) : using the same time horizon as for severity, order of magnitude (rather than precise number) given by the most knowledgeable people interdependency and correlation between risks (portfolio effect) Risk map page 16

17 Risk Treatment 3 Risk Treatment Risk Map / Heat Map for Prioritization and selection of RM measures Avoid/Eliminate Accept/Retain/Bear Reduce/Hedge/Mitigate Insure Transfer (i.e. outsource) impact low high 2 all options may apply depending on nature of risk and risk appetite although Accept/Retain/Bear is limited because risk is mostly driven by external factor beyond management control (earthquake, etc.); contingency planning vital here 4 risks in this quadrant are usually Accepted at their present level; risks in this quadrant may be over-mitigated implying that resources could be allocated to other more significant risks 1 all options may apply depending on nature of risk and risk appetite 3 risks in this quadrant are often related to day-to-day operations and compliance issues (legal and regulatory); steps should be taken to Reduce their likelihood low high likelihood page 17

18 Risk Treatment 3 Avoid/Eliminate Accept/Retain/Bear Risk Treatment Reduce/Hedge/Mitigate Insure Transfer (i.e. outsource) I) Avoid/ Eliminate II) Reduce/ Hedge/Mitigate III) Insure Total Risk Example Residual Risk after Measures I, II and III Risk Exposure (how much we currently have) Total Risk I) Avoid/ Eliminate Risk after Measure I II) Reduce/ Hedge/ Mitigate Risk after Measure I and II Costs of Measures Costs of Total Risk + Residual Risk III) Insure Residual Risk after Measures I, II and III Risk Tolerance (how much we should have, how much we can bear) page 18

19 ERM extension - Concept Corporate Risk escalation (reporting lower-level risks which are above the threshold), aggregation (combining together identical risks) and reconciliation (avoiding counting same risk twice) are part of the approach. Organisational level Business process level Project / program level organisational level (corporate) Threshold Threshold Threshold Threshold Threshold Operations Engineering & technical services Safety, Security, Quality Finance & Services Directorate Processes O risks (O consolidation) OV risks, OL risks AIM risks STC risks C3.1 C3.5 (separately) C3.1 C3.4.1 C3.4.2 C3.6.1 C3.6.2 skyguide national risks C3.2 C3.3 Technical risks Projects/Programs Project/Program risks C3.8 S risks Physical security risks M1.1 M1.3 M2 M1.4 Financial risks M4.2 M4.3 E5.3 Infrastructure risks E5.1 Corporate IT risks E5.4 Corporate Development Strategic M1.2 risks M1.14 M3 E5.2 E5.5 D risks Reputational risks Human Resources HR risks M1.2 M1.15 M4.1 C1 C2 M1.10 E5.6 organisational level (department, division or business unit) business process level, program/project level page 19

20 Tool used at skyguide to support the whole ERM process page 20

21 Content overview of skyguide company activities and services enterprise risk management at skyguide overall ERM process extended ERM interface ERM-BCM at skyguide page 21

22 Process cycle - Harmonisation of ERM-CM-COS-IM-AM Crisis organisation management Audit management Risk management Contingency planning Issue management page 22

23 The Bow Tie model in ERM, BCM & COS Causes Consequences (potential COS Events) Cause 1 Disruptive Event Consequence 1 Scope of ERM Cause 2 Cause 3 Consequence 2 Consequence 3 Cause 4 Preventive measures (action on causes) Protective measures (action on consequences) Consequence 4 Risk Mitigation Measures & Business Continuity Plans Prevention Preventive measures act first on probability or likelihood Recovery Protective measures act first on impact or consequences page 23

24 Interface of the BCM Process with ERM & Procedure view COS ERM Analysis BCP? Y N 1 Design 2 Implementation 3 update risk mitigation actions end BCPs 1 In the Analysis phase a Business Impact Analysis (BIA) is conducted for each mission critical service as well as for projects or events that have been identified as BIA relevant 2 In the Design phase the Maximum Tolerable Period of Disruption (MTPD) and the Recovery Time Objective (RTO) are decided. After a gap analysis strategic and/or tactical options are identified that enable the RTO to be achieved. 3 In the Implementation phase, a Business Continuity Plan is drafted together with a planning team, that usually will also have the role of the incident response team if needed 4 In the Validation phase, the BCP is reviewed, maintained and tested through exercises in order to deliver its benefits in case of a crisis Validation 4 COS page 24

25 All risks are obvious when you know what to look for page 25